Configuration Review Providers
Configuration review is a detailed assessment of system, network, and application configurations against security best practices and industry benchmarks such as CIS Benchmarks, NIST guidelines, and vendor hardening guides. Reviewers examine operating system configurations, network device settings, firewall rules, database configurations, web server setups, cloud service configurations, and Active Directory policies to identify misconfigurations that could be exploited by attackers.
Common findings include default credentials, unnecessary services, overly permissive access controls, weak encryption settings, missing security patches, and inadequate logging configurations. Configuration review is a proactive approach that helps organisations reduce their attack surface and ensure that systems are deployed securely. It is often performed as part of a broader security assessment programme alongside penetration testing and vulnerability assessment.
Configuration reviews are required or recommended by compliance frameworks including PCI DSS, ISO 27001, SOC 2, CIS Controls, Cyber Essentials, and NIST CSF. Regular configuration reviews help maintain a secure baseline as systems are updated, new services are deployed, and configurations drift over time.
SECFORCE
Leading UK offensive security consultancy based in Canary Wharf, delivering CREST-accredited penetration testing and adversary simulation to organisations with the most demanding security requirements.
NCC Group
Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.
NetSPI
Leading penetration testing firm with the Resolve platform for continuous attack surface management, trusted by nine of the top ten US banks.
Trustwave
Global managed security provider with the elite SpiderLabs penetration testing team and deep PCI DSS compliance expertise.
Pentest People
CREST and CHECK-accredited UK penetration testing firm with an innovative SecurePortal platform and transparent pricing for mid-market organizations.
Bishop Fox
Premier US-based offensive security firm known for elite penetration testers, cutting-edge research, and the Cosmos continuous attack surface management platform.
Rapid7
Creators of Metasploit offering enterprise penetration testing integrated with their comprehensive vulnerability management and security operations platform.
Coalfire
Compliance-focused cybersecurity advisory firm and FedRAMP 3PAO specializing in penetration testing that meets stringent regulatory requirements.
Claranet
CREST and CHECK-accredited European managed services provider delivering penetration testing with deep infrastructure and cloud hosting expertise.
Trail of Bits
Elite security research firm specializing in source code review, blockchain auditing, and building industry-standard open-source security tools.
Cure53
Berlin-based specialists in web security, browser security, and cryptographic auditing, trusted by the world's leading VPN providers and privacy tools.
Configuration Review FAQs
What systems can be reviewed?
Configuration reviews cover Windows and Linux servers, network devices (routers, switches, firewalls), databases, web servers, cloud platforms (AWS, Azure, GCP), Active Directory, and application servers.
What benchmarks are used?
Common benchmarks include CIS Benchmarks, NIST 800-123, vendor hardening guides (Microsoft, Red Hat, Cisco), DISA STIGs for government systems, and PCI DSS requirements for payment card environments.
How often should configuration reviews be performed?
Configuration reviews should be performed at least annually, after significant infrastructure changes, and when deploying new systems. Automated configuration monitoring can supplement periodic manual reviews.